SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #88

November 07, 2006

One big piece of news this week is that encryption will be automatically included in hard drives starting in the spring. You'll learn all about it in a case study of a Navy site that implemented on-drive, hardware encryption and also learn about the other new developments in encryption and protecting data at rest. All at the Secure Storage and Encryption Summit in Washington December 6-7.
http://www.sans.org/mclean06/

---

TOP OF THE NEWS

Ten Arrested in Credit Card Scam
Classified Documents Found in Search of a Los Alamos Trailer
Seagate Technology Automatically Encrypts Data Written to Hard Disk

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Four Arrested in Chile for Cyber Intrusions
Fourteen Arrested in International ID Fraud Investigation
Spanish Judge Dismisses Case Against Alleged File Sharer
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
CSIA Invites White Papers on Cyber Security R&D
SPYWARE, SPAM & PHISHING
Zango Agrees to Settle FTC Charges
Spear Phishers Target Medical Center Employees
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Remote Code Execution Flaw in Microsoft XML Core Services
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds Info. on 1,243 Villanova Univ. Students and Staff
Scrubbed Laptop Still Held Sensitive Data
Starbucks' Missing Laptops Hold Employee Information
MISCELLANEOUS
UK Healthcare IT System Will Hold Citizens' Medical Records
HBO Documentary "Hacking Democracy"

---

********************* Sponsored By Symark Software **********************

How do you guard against sabotage, theft or unauthorized access of data? Sudo doesn't provide the accountability for "privileged" accounts required by COBIT 4.0/ISO17799. Learn how PowerBroker, the most widely used solution for controlling Unix/Linux superuser privileges, helps you meet data privacy and compliance requirements. ALERT: Download the FREE White Paper " PowerBroker vs. sudo."
http://www.sans.org/info/1768

*************************************************************************

Best Deal on the Nation's number One Rated Hands-On Security Training Tomorrow is the last day for big saving. The nation's top security teachers; 10 full tracks of hands-on, state of the art security and audit training, seven short courses; briefings on the 20 billion dollar cyber crime wave; a great expo, plus the top ten trends in cyber security for 2007. All in Washington, DC, December 9-16
http://www.sans.org/cdieast06/event.php

*************************************************************************

---

TOP OF THE NEWS

Ten Arrested in Credit Card Scam (3 November 2006)

Law enforcement authorities in Will County, Illinois have charged a dozen people with felony theft in connection with selling the credit card numbers of individuals who stayed in seven different Joliet-area motels. Four of those charged are motel owners; the rest are employees. The hotel staffers reportedly sold the credit card numbers for US$100 each; accounts with higher limits sold for as much as US$500. An informant says he has bought at least 10,000 credit card numbers from area motels in the last six years. Ten of the people have been taken into custody. The suspects allegedly targeted customers who were not from the area and waited up to a year after customers had stayed at the motels to sell the credit card information.
-http://www.suntimes.com/news/metro/122699,CST-NWS-scam03.article

Classified Documents Found in Search of a Los Alamos Trailer (6, 4, 3 & 2 November 2006)

It now appears that a search of a Los Alamos, NM trailer turned up more than just three thumb drives from Los Alamos National Laboratory; 228 printed documents from LANL containing classified intelligence and weapons data were also found. The thumb drives also hold classified documents. Los Alamos police searched the trailer when they responded to a report of a fight and discovered a man wanted on a probation violation as well as drug paraphernalia. The trailer belonged to a woman who had worked as a laboratory archivist at LANL.
-http://www.upi.com/NewsTrack/view.php?StoryID=20061104-063805-7735r
(please note this site requires free registration)
-http://www.latimes.com/news/nationworld/nation/la-na-lab2nov02,1,6321678.story?c
oll=la-headlines-nation&ctrack=1&cset=true
-http://www.krqe.com/expanded.asp?ID=18010
-http://www.freenewmexican.com/news/51621.html

Seagate Technology Automatically Encrypts Data Written to Hard Disk (31 October 2006)

Seagate has developed technology that can automatically encrypt all data written to a hard-disk drive. The DriveTrust Technology is currently available in Seagate DB35 disk drives used in digital entertainment devices; the company expects to ship a hard-disk drive for notebooks that uses DriveTrust early next year. The drive for the notebook will use 128-bit Advanced Encryption Standard (AES) encryption. Users will be asked to create a password when they start up their notebook computers for the first time; the machine will require the password every time it boots up.
-http://news.com.com/2102-1029_3-6130824.html?tag=st.util.print
Editor's Note (Ullrich): sounds like a much 'saner' approach then self destruct hard drives under development by other companies. But comes back down to picking a hard to guess password (and not forgetting it). This will not eliminate more sophisticated solutions with features like key escrow for enterprise deployments.
(Northcutt): Reminds me of the quote sometimes attributed to Gen. Forrest, Seagate got there "fustest with the mostest." A TCG standard is a long way away, but Seagate is here now and they are probably big enough to force the standard to interoperate with them. People are desperate for solutions right now. I wonder if I can back fit a drive onto my laptop. Most of the news stories appear to be based on their press release, which has some good information:
-http://www.seagate.com/cda/newsinfo/newsroom/releases/article/0,1121,3347,00.htm
l

(Grefer): For subscribers outside the US who might be affected by export restrictions on AES, products using DES or 3DES, such as LaCie's Mobile Hard Drive, may be easier to obtain.
-http://www.eweek.com/print_article2/0,1217,a=192417,00.asp]

---

************************ Sponsored Links: *****************************

1) Meeting compliance regulations shouldn_t mean sacrificing your security budget. Learn how to evaluate SIM solutions.
http://www.sans.org/info/1769

2) ALERT: "How A Hacker Launches A Blind SQL Injection Attack!"- White Paper
http://www.sans.org/info/1770

3) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
http://www.sans.org/info/1771

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Four Arrested in Chile for Cyber Intrusions (6 November 2006)

Four men have been arrested in Chile for breaking into the websites of NASA and the Chilean finance ministry as well as websites of governments in other countries, including Israel, Turkey and Venezuela. The men are accused of breaching the security of more than 8,000 web sites around the world. The arrests follow an eight-month investigation that saw Chilean police working with Interpol, and intelligence services from the US, Israel and a number of Latin American countries.
-http://news.bbc.co.uk/2/hi/americas/6122706.stm
[Editor's Note (Schultz): It is encouraging to see genuine evidence of international cooperation in pursuing computer crime, something that has in general been missing in dealing with incidents that have crossed international boundaries.]

Fourteen Arrested in International ID Fraud Investigation (3 November 2006)

A two-year investigation known as Operation Cardkeeper targeted an online black market for stolen financial account information used to commit identity fraud; at least 14 people have already been arrested. The FBI, together with Polish investigators, identified suspects in the case who were trading stolen information. Three Americans have been arrested and the arrests of two more were imminent last week. Eleven Polish nationals were also arrested in the scheme. "Warrants are also being served in Romania as part of a continuing investigation."
-http://news.com.com/2102-7348_3-6132271.html?tag=st.util.print

-http://www.washingtonpost.com/wp-dyn/content/article/2006/11/02/AR2006110201579_
pf.html
-http://www.theregister.co.uk/2006/11/03/operation_cardkeeper_phishing_arrests/pr
int.html
[Editor's Note (Honan): Law Enforcement Agencies worldwide have a tough job but they are working hard to coordinate their efforts against cybercriminals. It is good to see their hard work pay dividends and hopefully we will see more of these stories develop.]

Spanish Judge Dismisses Case Against Alleged File Sharer (3 November 2006)

A Spanish judge dismissed a case brought against a man for file-sharing, ruling that Spanish law makes no provision to punish someone who has downloaded music for personal use. The man allegedly downloaded the songs and offered them on CD through email and chat rooms. There is no evidence the man made any money from his alleged activity. Plaintiffs had sought a two-year sentence; Promusicae, the Spanish recording industry federation, will appeal.
-http://www.theregister.co.uk/2006/11/03/spanish_judge_says_downloading_legal/pri
nt.html
-http://www.smh.com.au/news/Technology/Spanish-court-dismisses-case-against-man-w
ho-shared-music-on-Internet/2006/11/03/1162340014014.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

CSIA Invites White Papers on Cyber Security R&D (31 October 2006)

The US federal government's Cyber Security Information Assurance (CSIA) Interagency Working Group (IWG) has issued an "invitation to submit white papers on developing a roadmap for cyber security and information assurance research and development." The papers are asked to address one or more of a series of eight questions and should be no more than five pages long. The deadline for submitting papers is January 31, 2007. "Papers submitted by November 30, 2006 will be used in planning workshops that will be held in 2007."
-https://www.nitrd.gov/subcommittee/csia/CSIA_White_Papers_Final_103106.pdf
-http://www.nitrd.gov/subcommittee/csia.html

SPYWARE, SPAM & PHISHING

Zango Agrees to Settle FTC Charges (3 November 2006)

The US Federal Trade Commission (FTC) has fined Zango, formerly known as 180Solutions, US$3 million for downloading adware onto computers in the US without permission and for failing to provide a way to remove the offending malware. The FTC estimates that Zango's programs were surreptitiously downloaded more than 70 million times, resulting in more than 6.9 billion pop-up advertisements. Zango says it will now ask consumers before downloading software onto their computers and will offer a method for removing the adware.
-http://www.theregister.com/2006/11/03/ftc_fines_zango/print.html
-http://www.ftc.gov/opa/2006/11/zango.htm
[Editor's Note (Pescatore): Another example of the FTC doing very good work in this area. It is very refreshing to continually see a government agency in the news on the *asset* side of the security ledger. ]

Spear Phishers Target Medical Center Employees (1 November 2006)

Spear phishers targeted employees at Dekalb Medical Center in Decatur, GA, sending them emails with the sender's domain spoofed to appear to come from their employer. The emails told them they were being laid off and offered a link to what was purported to be a career counseling web site. People who clicked on the link had a keystroke logger downloaded to their computers. In spear phishing, messages _pically manipulated to appear to come from within the recipient's organization to evade filters. The messages are also sent to a small, targeted group of individuals.
-http://www.networkworld.com/news/2006/110106-spam-spear-phishing.html?page=1
-http://www.theregister.co.uk/2006/11/03/dismissal_spyware_spam_scam/print.html
[Editor's Note (Pescatore): Another common targeted phishing attack targets company employees saying "Sarbanes Oxley has required yet another password change - please enter your old password and choose a new one..." with the phishing site sometimes being located on a compromised internal PC or server. The newly released IE7 and Firefox browsers have much better protections for detecting and blocking known phishing sites, but these very targeted phishing attacks don't show up in the anti-phishing databases - enterprises need to be able to quickly detect unauthorized servers and processes on their internal networks.
(Honan): Two steps you can take to help mitigate the risk of Spear Phishing, firstly user education on how to spot fraudulent emails and secondly configure your email server to reject any external emails purporting to come from your domain without the corresponding IP addresses. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Remote Code Execution Flaw in Microsoft XML Core Services (3 November 2006)

Microsoft has acknowledged a remote code execution vulnerability in Microsoft XML Core Services. The flaw lies in the XMLHTTP 4.0 ActiveX Control and has already been targeted by "limited attacks." Users would have to be manipulated into visiting a specially crafted web site for the flaw to be exploited. Users running Windows Server 2003 and Windows Server 2003 with SP1 in default configurations, with the Enhanced Security Configuration turned on, are not at risk. Microsoft has suggested several workarounds to help protect users until a patch is available.
-http://www.microsoft.com/technet/security/advisory/927892.mspx

-http://www.eweek.com/article2/0,1895,2052269,00.asp
[Editor's Note (Boeckman): For Microsoft to suggest that a mitigating factor is "that an attacker would have to persuade a user to visit a malicious web site" is disingenuous. This is trivial to do with minimal effort, and should not be considered a mitigating factor. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Laptop Holds Info. on 1,243 Villanova Univ. Students and Staff (3 November 2006)

A laptop computer stolen from an insurance firm in Plymouth Meeting, PA contains names, birthdates and driver's license numbers of 1,243 Villanova University students and staff who are insured to drive school vehicles. The computer was stolen in September; Villanova sent notification letters to the drivers on October 26.
-http://cbs3.com/topstories/local_story_307104820.html

Scrubbed Laptop Still Held Sensitive Data (3 November 2006)

A laptop computer that used to belong to Intermountain Healthcare in Utah was scrubbed before it was donated to Deseret Industries. However, the man who bought the laptop discovered a file on the computer that contained personally identifiable information, including names and SSNs, of more than 6,000 people who worked for Intermountain Healthcare in 1999-2000. The affected employees have been notified. Intermountain stopped using SSNs as unique employee identifiers several years ago. Intermountain now has hard drives demolished when they are no longer in use.
-http://deseretnews.com/dn/print/1,1442,650203974,00.html
[Editor's Note (Ulrich): Note that the company has a contract with Dell to demolish the hard drives. How do they get them to Dell without losing them in the same black hole that sucks up backup tapes? Encrypt your data in the first place, and there is one worry less. Or how hard is it to hire a strong guy with a hammer (or a not so strong guy with a shot gun).
(Schultz): Unfortunately, "scrubbed" has become an ambiguous term. Someone who claims that a hard drive has been "scrubbed" may not in reality have the slightest idea of what has actually become of the data residing on that drive. ]

Starbucks' Missing Laptops Hold Employee Information (3 November 2006)

Starbucks Corp. has acknowledged that it cannot account for four laptop computers, two of which hold names, addresses and SSNs of approximately 60,000 current and former employees. The computers were discovered to be missing from Starbucks' corporate support center in Seattle in September. The company is in the process of notifying affected employees. There are no reports that the data have been misused.
-http://www.centredaily.com/mld/centredaily/business/15923874.htm?template=conten
tModules/printstory.jsp

MISCELLANEOUS

UK Healthcare IT System Will Hold Citizens' Medical Records (6 & 2 November 2006)

According to a report in The Guardian, the medical records of as many as 50 million UK citizens will be placed in the new NHS IT system. The program is forging ahead with the assumption of "implicit consent." Patients may opt out of the system, although deciding to disclose medical information only with explicit consent each time could jeopardize one's health in the event of an accident. Opting out will not remove the information from the national database. An NHS spokesperson said "external access to its patient records
[is not permitted ]
unless ... explicitly required by law." The system was designed with the aim of helping healthcare professionals share information and provide better care for patients.
-http://www.theregister.co.uk/2006/11/06/nhs_records/print.html

-http://politics.guardian.co.uk/publicservices/story/0,,1937059,00.html

HBO Documentary "Hacking Democracy" (2 November 2006)

An HBO documentary on the risks of voting machines first aired Thursday November 2. As the election approaches this is becoming a significant issue. In the 2000 presidential election, an electronic voting machine withheld over 16,000 vote for Al Gore.
-http://www.hbo.com/docs/programs/hackingdemocracy/index.html
[Editor's Comment (Northcutt): Very timely show, once again you are probably safest with an absentee ballot or any other method that has a paper trail in the event a recount is needed. Diebold was apparently the star of the show and reacted poorly:
-http://www.theregister.com/2006/11/02/diebold_hacking_democracy/
-http://www.hollywoodreporter.com/hr/content_display/news/e3iu1kJn0r6mbsE3T+LOOIm
OQ%3D%3D
Diebold's rebuttal can be found:
-http://www6.diebold.com/dieboldes/pdf/hbopointbypoint.pdf]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/